Update Security

Bob McDonald bmcdonaldjr at gmail.com
Mon Mar 17 11:19:17 UTC 2014


Signed updates, that is...


On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:

> Ok so it's not painless.  Do the updates still get forwarded to the master
> by the slaves or do I need to have all Windows devices needing update
> capability to point at the master?
>
> TIA,
>
> Bob
>
>
>
> On Fri, Mar 14, 2014 at 7:36 PM, Chris Buxton <clists at buxtonfamily.us> wrote:
>
>> On Mar 14, 2014, at 10:50 AM, Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>>
>> > I agree that TSIG or SIG(0) signed updates are certainly a more
>> desirable approach than allowing updates via address.  My DHCP server is
>> set up to sign all of its updates this way.  However, I have AD domain
>> controllers in the environment that don't currently use signed updates.  Is
>> there a fairly painless way to convert all the AD machines to signed
>> updates?
>>
>> You would need to set up GSS-TSIG, which is not painless. (It's certainly
>> doable, but there are plenty of pitfalls to overcome.) Windows doesn't
>> support TSIG, just GSS-TSIG.
>>
>> AFAIK, use of GSS-TSIG requires update-policy instead of allow-update on
>> the master.
>>
>> Regards,
>> Chris Buxton.
>
>
>
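The contrast Chris describes, as an added named.conf illustration that is not part of the thread: the address-based `allow-update` the thread warns against, next to a zone that uses `update-policy` so that AD members authenticate with GSS-TSIG and the DHCP server with a plain TSIG key. Zone name, realm, keytab path, key name and the rule types granted are assumptions for the example; only host self-registration is shown, not the extra records a domain controller publishes.

```conf
// Added example, not configuration from the thread. All names are placeholders.

// Weak form discussed in the thread: anyone on the subnet may update the zone.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { 10.0.0.0/8; };   // trust by source address only
};

// Hardened form: GSS-TSIG for Windows/AD members, TSIG for the DHCP server.
options {
    // keytab holding the DNS/ns1.example.com@EXAMPLE.COM service principal
    tkey-gssapi-keytab "/etc/named/dns.keytab";
};

key "dhcp-key" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with the DHCP server>";   // placeholder
};

zone "example.com" {
    type master;
    file "example.com.db";
    // update-policy replaces allow-update; a zone may not carry both.
    update-policy {
        // Windows hosts (host$@EXAMPLE.COM) may update only their own A/AAAA.
        grant EXAMPLE.COM ms-self example.com. A AAAA;
        // Non-Windows Kerberos hosts (host/fqdn@EXAMPLE.COM), same restriction.
        grant EXAMPLE.COM krb5-self example.com. A AAAA;
        // The DHCP server signs with TSIG and may manage lease records.
        grant dhcp-key zonesub A TXT DHCID;
    };
};
```

Load a changed policy with `rndc reconfig` and confirm a rejected unsigned update in the `update-security` log category before trusting it.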